EV Observe - Configure sFlow Monitoring Prerequisites

Last modified on 2023/05/22 10:52

Note: The configuration of network hosts for exporting sFlow packets and samples to the sFlow collector will depend on each host. Contact your hardware integrator or vendor to find out more about the components to be set up.

The sFlow protocol (sampled Flow) is a protocol for exporting flows used on routers and switches for the real-time monitoring and analysis of network data traffic. It uses the concept of flows to capture data on network behavior, such as network traffic source and destination, applications using the network and the bandwidth allocated to these applications.

To use service templates based on the sFlow protocol, specific prerequisites must first be met.

  • You configure these prerequisites once only.
  • This is done in three steps:
    • Configure the sFlow collector to receive information on network traffic
    • Configure the monitored network hosts to send sFlow information to the collector
    • Check that sFlow is working correctly

sFlow network traffic monitoring: Operating principle

[Figure: sFlow data collection, operating principle]
  • (1) sFlow agents: sFlow agents query network hosts (e.g. routers, switches) on a regular basis and process data in packets using packet-sampling technology. Records of the monitored network traffic are sent to the sFlow collector in nfcapd files.
  • (2) sFlow collector (sFlow Collector Storage): This collects the records sent by sFlow agents and stores them in the local database.
  • (3) Box: This retrieves information from the sFlow collector.
  • (4) Monitoring platform: This analyzes sFlow data collected by the Boxes using the NetworkAnalysis-sFlow service template. It displays the data in a dashboard and sends alerts in the event of errors or malfunctions in network peripherals.


  • The current sFlow protocol version is V5.
  • sFlow default parameters:
    • Sampling rate = 4096
    • Sampling size = 128
    • Maximum datagram size = 1400
    • sFlow collector port = 6343
    • Polling interval = 20
  • To implement sFlow network monitoring, you must define the following for each interface to be monitored:
    • A listening port
    • An access control list (ACL), used to authorize connection between the collector and the interface listening port
    • A destination folder for the interface flow exports


  • The server dedicated to collecting sFlow exports must not be used as a monitoring box.

Determine sizing requirements for the sFlow collector

  • Exporting flows will have an impact on the available bandwidth. You must therefore determine sizing requirements for the collector.
    • A network flow export can contain records for up to 30 conversations or flows.
    • A PC can send approximately 100 flows per minute.
    • A company with 1,000 nodes, each generating 200 flows per minute, will produce approximately 200,000 flows in one minute, or approximately 3,300 flows per second.
  • Applications, Web browsers in particular, spawn numerous unique flows. Here are some examples of typical chatty applications:
    • Java, Adobe, antiviruses, Web browsers
    • Skype causes traffic to the DNS
    • Web pages spawning flows for images, ads, etc.
    • Email apps constantly checking the inbox
    • NetBios
  • A flow stored on the collector occupies 150 bytes of disk space. As such, we recommend that you set aside 2 GB per day and per batch of 100 nodes.
    • CPU = 4 vCPU
    • RAM = 8 GB
    • Disk space = 20 GB + 2 GB per day and per batch of 100 nodes
    • Network interface = 1 Gbps

Best Practice

  • Based on your network analysis requirements, you can use a dedicated server for collecting sFlow exports or one of the commissioned Boxes.
  • You can use the same Box to pool the sFlow collector and the Netflow collector.
  • Create a single destination folder for sFlow flow exports. In this folder, you can create one subfolder for each network interface to be monitored by sFlow.
  • To identify the flow export subfolders easily, you should name them using the host name and its IP address.


  • Destination folder ==> /network_analysis/sflow/
  • Export folder for Router A ==> /network_analysis/sflow/RouterA_172.16.10.2
  • Export folder for Router B ==> /network_analysis/sflow/RouterB_192.16.80.1

Procedure: How to configure sFlow monitoring prerequisites

Step 1: Configure the sFlow collector


Best Practice: If you already have an existing Netflow collector (Netflow Collector Storage), you can pool it according to the procedure below. If this is the case, you should not download the master. Apply the sFlow configuration directly to the Netflow collector.

1. Download the most recent Master Box available on the FTP site.

  • FTP site: software.servicenav.io.
  • Contact the EasyVista Support team to obtain the relevant login information.


  • The master will be dedicated to the sFlow collector.
  • See the section Determine sizing requirements for the sFlow collector to size the collector.

2. Log in via SSH to the sFlow collector.

3. Note: Only for EV Observe versions earlier than 5.0. Run the commands below to download the install script.

Replace <Login> and <Password> with the relevant login and password. Contact the EasyVista Support team to obtain the relevant login information.

sudo su -
cd /root/
ftp -p software.servicenav.io
# Enter login & password at the prompts
get xflow_installation.tar
# Leave the FTP session before extracting the archive
bye

tar xvf xflow_installation.tar

4. Depending on your EV Observe version, run the relevant commands below to start the collector installer.

  • EV Observe versions 4.19 and earlier

sudo su -
cd /root/xflow_installation

  • EV Observe versions 5.0 and later

sudo su -
cd /root/vsb_installation

5. Configure the sFlow collector in the order of the steps listed in the script.

  • Press any key to start the configuration.
  • Enter y in the window for configuring the collector, followed by s to configure sFlow.
  • Specify the following information and press the <Enter> key each time to validate your input.
    • Listening Port
    • Destination folder for sFlow exports (Directory)
    • Number of days that data will be stored on the collector (Data retention in days)
  • Save the configuration of the sFlow collector. To do so, enter y and press the <Enter> key.

Step 2: Configure the network hosts

Note: The configuration of network hosts for exporting packets and samples to the sFlow collector will depend on each host. The procedure includes an example for a switch, HP-2920-48G. For other hosts, contact your hardware integrator or vendor to find out more about the components to be set up.

General procedure

1. Log in to the network host where you want to enable sFlow.

2. Perform the steps below to configure sFlow for the network host.

  • Specify the destination for sFlow flows, i.e. IP address and port of the sFlow collector.
  • Define the sampling rate for the network interface (1 to 24).
  • Define the polling interval for collecting interface statistics.

3. Check that sFlow is correctly configured on the network host.

Example: Configuration for switch HP-2920-48G

  • Log in to switch HP-2920-48G.
  • Run the command below to specify the destination of sFlow flows. Replace:
    • <IP Address> with the IP address of the sFlow collector
    • <Port> with the collector port

(config)# sflow 1 destination <IP Address> <Port>

Example: HP-2920-48G# sflow 1 destination 6343

  • Run the command below to define the sampling rate for the switch. Replace:
    • <Interface ID> with the network interface ID
    • <Sample every n packets> with the sampling rate, i.e. number of packets

(config)# sflow 1 sampling ethernet <Interface ID> <Sample every n packets>

Example: Sample one packet out of every 128 ==> HP-2920-48G# sflow 1 sampling ethernet 47-48 128

  • Run the command below to define the polling interval for collecting interface statistics. Replace:
    • <Interface ID> with the network interface ID
    • <Polling frequency> with the interval in seconds.

(config)# sflow 1 polling ethernet <Interface ID> <Polling frequency>

Example: Polling every 30 seconds ==> HP-2920-48G# sflow 1 polling ethernet 47-48 30

  • Run the command below to check the sFlow configuration parameters for the switch.

(config)# show sflow 1 destination

Example: HP-2920-48G# show sFlow 1 destination

The following results will be displayed.

Destination Instance: 1
sflow: Enabled
Datagrams Sent: 126822
Destination Address:
Receiver Port: 6343
Owner: Administrator, CLI-Owned, Instance 1
Timeout (seconds): 2147403334
Max Datagram Size: 1400
Datagram Version Support:


Step 3: Check that the sFlow collector is working correctly

1. Check that the flows exported from each network interface are stored correctly in the sFlow collector.

  • Log in to the sFlow collector.
  • Go to the folder dedicated to the storage of nfcapd exports.
  • Check the presence of files greater than 276 bytes in the following format, nfcapd.YYYYMMddhhmm.


  • nfcapd files are periodically created by the sfcapd process even if no data is loaded by sFlow agents. In this case, their size is 276 bytes.
  • To ensure that the sFlow configuration is operational, you must therefore check that file sizes are greater than 276 bytes. This means that they contain data loaded by sFlow agents.

Example: Presence of files greater than 276 bytes in the following format, nfcapd.202209181140

2. Go over the steps for configuring sFlow in the event of an error, e.g. missing files.
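
The Step 3 check can be scripted so that it covers every export subfolder in one pass. This is an added example, not EasyVista code; the function names and the optional age window are assumptions, and the folder layout is the one recommended under Best Practice (one subfolder per monitored host).

```shell
#!/bin/sh
# Added example (not EasyVista code): confirm every sFlow export subfolder
# contains nfcapd files that hold flow data, as described in Step 3.
# Assumed layout, from this page: <root>/<Host>_<IP>/nfcapd.YYYYMMddhhmm

EMPTY_SIZE=276  # bytes; size of an nfcapd file written with no sFlow data

# count_data_files DIR [MAX_AGE_MIN]
# Print how many nfcapd.<timestamp> files in DIR exceed EMPTY_SIZE bytes.
# With MAX_AGE_MIN, count only files modified within that many minutes,
# so an exporter that stopped sending yesterday is not reported as healthy.
count_data_files() {
    if [ -n "${2:-}" ]; then
        find "$1" -type f -name 'nfcapd.[0-9]*' -size +"${EMPTY_SIZE}c" -mmin -"$2"
    else
        find "$1" -type f -name 'nfcapd.[0-9]*' -size +"${EMPTY_SIZE}c"
    fi | wc -l | tr -d ' '
}

# check_sflow_exports ROOT [MAX_AGE_MIN]
# Report one line per export subfolder; return 1 if any subfolder has no
# data-bearing file, or if ROOT has no subfolders at all.
check_sflow_exports() {
    seen=0
    failed=0
    for sub in "$1"/*/; do
        [ -d "$sub" ] || continue
        seen=$((seen + 1))
        n=$(count_data_files "$sub" "${2:-}")
        if [ "$n" -gt 0 ]; then
            echo "OK    $(basename "$sub"): $n file(s) larger than $EMPTY_SIZE bytes"
        else
            echo "FAIL  $(basename "$sub"): no nfcapd file larger than $EMPTY_SIZE bytes"
            failed=1
        fi
    done
    [ "$seen" -gt 0 ] || { echo "FAIL  no export subfolders under $1"; failed=1; }
    return "$failed"
}

# Run the check when a destination folder is given on the command line, e.g.
#   sh check_sflow.sh /network_analysis/sflow 15
if [ "$#" -ge 1 ]; then
    check_sflow_exports "$@"
fi
```

A FAIL line for one host while the others report OK points to that host's export configuration or to the ACL for its listening port rather than to the collector itself.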

Step 4: Configure the NetworkAnalysis-sFlow service template

1. Deploy one service for each application, source IP and destination IP to be monitored by sFlow.

See the detailed procedure.

Step 5: Set up monitoring for the sFlow collector

1. Use the modèle-serveur-linux host template that includes the following service templates.

  • CPU
  • LIN-DiskIO
  • LIN-Diskspace
  • LIN-Network_Traffic
  • LIN-Swap

2. You can also use the following service templates.

  • LIN-DirectorySize: Used to monitor the size of destination folders.
  • Lin-ProcessName: Used to monitor that sfcapd processes are running correctly.

3. Use action templates to restart sfcapd processes if they are interrupted.
